Different types of malicious activity may affect a computer network. In a first type of activity, an entity (such as a user) may utilize resources within the computer network in an unauthorized manner. For example, a user may attempt to retrieve files from a database to which he or she has no access privileges. In a second type of activity, an entity may “infect” resources with malware of various types. For example, an entity may install spyware on a machine within the computer network; once activated, that spyware may access a remote server in an unauthorized manner or perform some other undesirable action. In either case, malicious activity can cause significant damage to the computer network. It can also result in security breaches that jeopardize sensitive information (such as financial information, patient record information, and so on).
Understandably, organizations and other affected parties remain highly motivated to reduce the risk of malicious activity in computer networks. In one approach, a corporation may provide a network security tool for automatically detecting and acting on incidents of malicious activity. For example, such a tool may provide a database of heuristic rules. These rules may express the characteristics of different types of known malicious behavior. If the tool discovers behavior that matches a rule, it can take actions to terminate the malicious activity, or at least mitigate its effects.
But known tools are not fully satisfactory. Malicious activity exhibits a vast number of different strategies. Further, these strategies quickly evolve. Hence, a tool that relies on a fixed database of rules may fail to detect all types of malicious activity. To address this concern, a tool may provide an interface which allows a human analyst to manually investigate incidents of possible malicious behavior. However, a computer network handles an enormous number of transactions, even within a relatively short span of time. Hence, this type of interactive approach can quickly become burdensome to the analyst, who may be asked to investigate an overwhelming number of incidents.
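The rule-based tool and the analyst hand-off described in the two preceding paragraphs, as an added illustration that is not part of the patent text; the rules, events, allowlist and action names are all constructed for this example:

```python
# Added example, not from the patent text: a minimal heuristic-rule tool of
# the kind the background describes. Rules encode known malicious behaviour
# and trigger a mitigation; unmatched activity outside a known-good set is
# queued for a human analyst. All rules, events and names are constructed.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Event:
    user: str
    action: str        # "db_read", "connect" or "install"
    target: str        # database, remote host or package name
    authorized: bool   # result of the access-control check

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str        # mitigation applied on a match

# Constructed rule database covering the two activity types in the text.
RULES = [
    Rule("unauthorized-db-access",
         lambda e: e.action == "db_read" and not e.authorized,
         "revoke_session"),
    Rule("spyware-beacon",
         lambda e: e.action == "connect" and e.target.endswith(".invalid"),
         "block_process"),
]
# Constructed allowlist; unmatched activity elsewhere is "possibly malicious".
KNOWN_GOOD = {"payroll", "patient_records", "updates.example.com"}

SAMPLE_EVENTS = [  # constructed transactions
    Event("alice", "db_read", "patient_records", authorized=False),
    Event("bob", "db_read", "payroll", authorized=True),
    Event("svc", "connect", "c2.example.invalid", authorized=True),
    Event("svc", "connect", "203.0.113.7", authorized=True),  # no rule fits
    Event("carol", "install", "browser-toolbar", authorized=True),
]

def triage(events: List[Event], rules=RULES) -> Tuple[list, List[Event]]:
    """Return (automatic_actions, analyst_queue) for a batch of events."""
    actions, queue = [], []
    for ev in events:
        hit = next((r for r in rules if r.matches(ev)), None)
        if hit:
            actions.append((hit.name, hit.action))
        elif ev.target not in KNOWN_GOOD:
            queue.append(ev)  # evolved behaviour the fixed rules do not cover
    return actions, queue
```

Two of the five constructed events match a rule and are mitigated automatically; the novel beacon and the unvetted install fall through to the analyst queue, which is the growing manual workload the text describes.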